Commit f5779b52 authored by Justin Tee's avatar Justin Tee Committed by Martin K. Petersen
Browse files

scsi: lpfc: Fix possible file string name overflow when updating firmware 



Because file_name and phba->ModelName are both declared a size 80 bytes,
the extra ".grp" file extension could cause an overflow into file_name.

Define a ELX_FW_NAME_SIZE macro with value 84.  84 incorporates the 4 extra
characters from ".grp".  file_name is changed to be declared as a char and
initialized to zeros i.e. null chars.

Signed-off-by: default avatarJustin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com


Reviewed-by: default avatarHimanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent 2fe4b6a6

drivers/scsi/lpfc/lpfc.h

+1 −0
Original line number Diff line number Diff line
@@ -33,6 +33,7 @@ 
struct lpfc_sli2_slim;



#define ELX_MODEL_NAME_SIZE	80

#define ELX_FW_NAME_SIZE	84



#define LPFC_PCI_DEV_LP		0x1

#define LPFC_PCI_DEV_OC		0x2

drivers/scsi/lpfc/lpfc_init.c

+2 −2
Original line number Diff line number Diff line
@@ -14721,7 +14721,7 @@ lpfc_write_firmware(const struct firmware *fw, void *context) 
int

lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)

{

	uint8_t file_name[ELX_MODEL_NAME_SIZE];

	char file_name[ELX_FW_NAME_SIZE] = {0};

	int ret;

	const struct firmware *fw;
@@ -14730,7 +14730,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade) 
	    LPFC_SLI_INTF_IF_TYPE_2)

		return -EPERM;



	snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName);

	scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName);



	if (fw_upgrade == INT_FW_UPGRADE) {

		ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_UEVENT,